Vulners
Lucene search
Creative Contact Form 4.6.2 Directory Traversal
🗓️ 08 Mar 2020 00:00:00Reported by Wolfgang HotwagnerType 
packetstorm🔗 packetstormsecurity.com👁 158 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Creative Contact Form 4.6.2 Directory Traversal Vulnerability | 8 Mar 202000:00 | – | zdt |
 | Creative Contact Form extension path traversal vulnerability | 9 Mar 202000:00 | – | cnvd |
 | CVE-2020-9364 | 4 Mar 202015:58 | – | cve |
 | CVE-2020-9364 | 4 Mar 202015:58 | – | cvelist |
 | EUVD-2020-30185 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-9364 | 4 Mar 202016:15 | – | nvd |
 | Directory traversal | 4 Mar 202016:15 | – | prion |
 | PT-2020-20612 · Creative · Creative Contact Form | 4 Mar 202000:00 | – | ptsecurity |
 | CVE-2020-9364 | 22 May 202517:34 | – | redhatcve |
`# Directory Traversal in Creative Contact Form
## Overview
* Identifier: AIT-SA-20200301-01
* Target: Creative Contact Form (for Joomla)
* Vendor: Creative Solutions
* Version: 4.6.2 (before Dec 03 2019)
* CVE: CVE-2020-9364
* Accessibility: Remote
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
## Summary
[Creative Contact Form](https://creative-solutions.net/) is a responsive jQuery contact form for the Joomla content-management-system.
## Vulnerability Description
A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. An attacker could exploit this vulnerability to receive any files from the server via e-mail.
The vulnerable code is located in "helpers/mailer.php" at line 290:
```
if(isset($_POST['creativecontactform_upload'])) {
if(is_array($_POST['creativecontactform_upload'])) {
foreach($_POST['creativecontactform_upload'] as $file) {
// echo $file.'--';
$file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
$attach_files[] = $file_path;
}
}
}
```
If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'], and enables "Send me a copy", the contact-form would send him the content of /etc/passwd via email.
_Note: this vulnerability might not be exploitable in the free version of Creative Contact Form since it does not allow "Send copy to sender"._
## Vulnerable Versions
Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)
## Impact
An unauthenticated attacker could receive any file from the server
## Mitigation
Update to the current version
## References:
* https://nvd.nist.gov/vuln/detail/CVE-2020-9364
## Vendor Contact Timeline
* `2019-12-02` Contacting the vendor
* `2019-12-02` Vendor published a fixed version
* `2019-03-01` Public disclosure
## Advisory URL
[https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form](https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Mar 2020 00:00Current
5.4Medium risk
Vulners AI Score5.4
EPSS0.00536